IFSM 432 Risk Assessment Exercise Spreadsheet - Group 3v2

School: University of Maryland, University College
Course: 432
Subject: Information Systems
Date: Apr 3, 2024
Type: xlsm
Pages: 1

RISK ASSESSMENT FORM

Project Name: IFSM Risk Assessment Assignment (Group x)
Prepared By: Group x
Date:

Columns of the form (as labelled on the spreadsheet): Business Area; Business processes associated with area (identify four or more processes associated with the business area); Risks Identified; Description; Probability of Occurrence; Justification for probability of occurrence (why did you select this?); Impact Intensity; Justification for impact intensity (why did you classify it as high, medium or low?); Existing Measures; Mitigation Strategy; Justification for selecting your mitigation strategy (why?); Additional Measures; Contingency Plan.

Each row of the form is listed below with its cells under those headings.

Accounting / Record business transactions
  Description: Transactions were interrupted during a recent software update on the system database during peak hours. The IT department released updates during business hours to ensure systems were in compliance and secured.
  Probability of Occurrence: Likely to occur: 61-90%
  Justification for probability: The IT department currently has no guidance detailing acceptable software policies and when they are appropriate to be deployed.
  Impact Intensity: High
  Justification for impact: Pushing updates during peak hours can disrupt several transactions and poses a threat to the operations of the business.
  Existing Measures: No existing measures are in place. IT has been working to standardize infrastructure and software policies across the company.
  Mitigation Strategy: Risk Avoidance
  Justification for mitigation: It is important to keep the integrity of all business transactions to ensure that operations run smoothly.
  Additional Measures: Work with the CIO to ensure that guidance is written to prohibit the deployment of any software update that could impact operations during business hours. All updates or changes to operations should be pre-approved by the CIO and/or whoever the CIO delegates that responsibility to.
  Contingency Plan: In the event that updates need to be deployed during business hours, ensure the IT department conducts these updates one at a time to minimize disruptions and to ensure that there is redundancy available at all times.

Accounting / Invoices
  Risk Identified: Poor record keeping / missing invoices
  Description: Leads to less or no payment
  Probability of Occurrence: Likely 40-70%
  Justification for probability: Hardware and software are burnt; no access to invoices
  Impact Intensity: High
  Justification for impact: Inability to generate invoices
  Existing Measures: Backup hubs
  Mitigation Strategy: Systems have a solid BCP in place
  Justification for mitigation: Having a BCP in place will ensure continuous supply
  Additional Measures: Subscribe to cloud system
  Contingency Plan: Develop the habit of downloading a weekly report

Accounting / Customer Account Data
  Risk Identified: Severe weather event causing damage to data center HVAC systems
  Description: Customer account data is critical, and if power is affected for very long periods, data corruption can occur.
  Probability of Occurrence: Unlikely: 11-40%
  Justification for probability: HVAC systems cause high power drain on the generator and UPS, and power issues can cause cooling damage
  Impact Intensity: High
  Justification for impact: Servers and data network equipment rely on proper humidity and power purity levels
  Existing Measures: Data is backed up on a daily basis to onsite and offsite locations
  Mitigation Strategy: Risk Transference
  Justification for mitigation: Data is backed up in the event of server malfunction.
  Additional Measures: HVAC contractor with 24x7 standby availability
  Contingency Plan: Migration of accounting information and processes to an external cloud provider.

Accounting / Accounts Payable/Receivable
  Risk Identified: Security breach from spyware, ransomware, or hacker-related infiltration
  Description: Infection of corporate data stores due to virus, malware and ransomware.
  Probability of Occurrence: May occur about half of the time: 41-60%
  Justification for probability: Servers and database systems are protected with firewalls and client- and server-level antivirus and antimalware software.
  Impact Intensity: High
  Justification for impact: All financial information can be failed over or restored from tape with minimal loss, but restoration of services can be lengthy after certain attacks
  Existing Measures: All financial data is replicated to other facilities.
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: Servers and database systems are protected with firewalls and client- and server-level antivirus and antimalware software.
  Additional Measures: Securing operations of any financial data, regardless of where it is stored.

Human Resources / Acquisitions & Mergers
  Risk Identified: A disgruntled employee can extract sensitive asset information on current and possible future acquisitions and expose it
  Description: An insider can steal private corporate information and use it against management
  Probability of Occurrence: Unlikely: 11-40%
  Justification for probability: This insider attack is rare, and the likelihood that the employee will be traced to the leak and identified is high
  Impact Intensity: Medium
  Justification for impact: Attacks like this are rare, and if stolen merger and acquisition information were to leak out, the employee responsible would be held accountable
  Existing Measures: The Business Continuity Plan currently does not cover such a leak
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: Taking steps to reduce the risk of corporate data leakage through disgruntled employees will reduce the danger of this happening.
  Additional Measures: Ensure that all corporate data is role-based and user-level permissioned. Any data that is touched is logged; also lock down computers for USB devices.
  Contingency Plan: Create a Business Continuity Plan that includes data leakage.

Human Resources
  Business processes: Compensation, Benefits, Bonus Management, Annual Reviews, Performance Improvement Plans, Employee Awards
  Risk Identified: Merged HR systems from acquired companies can create errors and inefficiencies
  Description: The current HR systems in NewOpticMarketing and the two recently acquired companies are not properly aligned to efficiently handle HR functions, which can adversely affect employee performance.
  Probability of Occurrence: Very Likely: 91-100%
  Justification for probability: Separate HR systems for the same unified company cannot function. Discrepancies between the two might cause inconsistencies between the companies when it comes to processes such as promotions and disciplinary actions.
  Impact Intensity: Medium
  Justification for impact: Misaligned HR systems may hinder employee retention where promotions are not processed timely, or cause valuable skilled employees to leave the company, where hard-to-replace knowledge may be lost.
  Existing Measures: Each company is still handling its own HR processes; unification under a single HR system is needed.
  Mitigation Strategy: Risk Avoidance
  Justification for mitigation: A single, unified HR system is required to centralize and streamline all HR functions. This will avoid the pitfalls of the current multiple HR systems.
  Additional Measures: HR personnel need to pay close attention to the employees to ensure that the current HR system issues are not hindering performance or morale. Corporate management should begin to consider a single HR system.
  Contingency Plan: All employee data and status are replicated to other facilities if a restore is requested.

Human Resources / Employee Data
  Risk Identified: Employee data is lost due to corruption in the database
  Description: Employee information must be protected and archived for a certain number of years according to federal guidance under data retention protocols
  Probability of Occurrence: May occur about half of the time: 41-60%
  Justification for probability: Tends to be likely when companies merge and HR systems that may have different data retention guidelines are combined
  Impact Intensity: Medium
  Justification for impact: Generally all employee records are kept for many years beyond federal requirements, but if corruption occurs, the data must be restored and tested
  Existing Measures: Tape backups and data replication to other facilities protect this data.
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: Limiting the risks to the employee data should already be adequate.
  Additional Measures: Current daily backups of the employee data and off-site replication ensure that the data is protected.
  Contingency Plan: Create a Business Continuity Plan and the possible migration of employee information and processes to an external cloud provider.

Human Resources / Employee Training
  Risk Identified: The employee training platform had a major bug that would not allow employees to play videos. It was later discovered that an update had been released to correct this issue.
  Description: Software patches and updates are constantly being released to address bugs or to improve the customer experience. The training platform was not updated during the last deployment.
  Probability of Occurrence: Very Likely: 91-100%
  Justification for probability: Every information technology company is different and releases updates at different times and/or on demand, making it impossible to deploy every update as soon as it is available.
  Impact Intensity: High
  Justification for impact: Although the employee training database will not impact everyday operations, software bugs are common and can affect a variety of services and functions, including critical ones.
  Existing Measures: No existing measures are present for this scenario. The IT department manages all software-related issues for any IT asset.
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: Emergency patches and updates can be performed outside patching hours for critical vulnerabilities or issues with consent and approval from the CIO.
  Additional Measures: Once it has been determined that a server needs an update to remediate a known issue, the IT department will work with the vendor to obtain the latest version of the patch and verify that the patch is ready for production.
  Contingency Plan: This information must be presented to the CIO, who will then make the appropriate determination on whether or not the patch needs to be deployed immediately.

Information Technology (IT) / Data Centers and Facilities
  Risk Identified: Acquired companies need improved integration with the IT infrastructure
  Description: Poor integration of merged IT systems, Accounting/ERP systems and inventory management can lead to inefficiencies and errors.
  Probability of Occurrence: Likely to occur: 61-90%
  Justification for probability: Poor integration in the infrastructure can cause issues where merged systems converge
  Impact Intensity: Medium
  Justification for impact: The IT infrastructure controls all software and hardware where processing occurs, which is where errors and inefficiencies can occur.
  Existing Measures: Utilize IT staff and 3rd-party vendors to improve infrastructure integration
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: Management has approved funding.
  Additional Measures: Analyze merge inconsistencies in the infrastructure.
  Contingency Plan: Review the inconsistencies documented within the infrastructure, then redesign

Information Technology (IT)
  Business processes: Ensuring data is well managed and protected
  Risk Identified: Information risk such as malware dangers, including poor password management, man-in-the-middle attacks, ransomware, viruses, spyware, DDoS, SQL injection and trojans.
  Description: All workstations, laptops, mobile devices and servers that touch corporate systems are vulnerable and can be compromised. Hacked passwords can allow access to sensitive systems and possible loss of data due to corruption, or worse under ransomware, where data must be unlocked at great expense.
  Probability of Occurrence: Likely to occur: 61-90%
  Justification for probability: Corporations are under constant attack from hackers, from spoofed emails to social engineering methods.
  Impact Intensity: High
  Justification for impact: Support systems, particularly the shift to the internet and the world wide web, were not covered by the Business Recovery plan. Corporate data could be corrupted, stolen or held for ransom if compromised
  Existing Measures: No current measure exists. Currently no policies exist for controlling or limiting the effect of a malware outbreak.
  Mitigation Strategy: Risk Limitation
  Additional Measures: Review of all firewall policies and current firewall software, regulation of security patches to ensure all systems are up to date and protected on a scheduled basis, deployment of desktop protection software, and ensuring mail systems are covered by multiple antivirus scanners.
  Contingency Plan: Business Continuity Plan creation, website data backup protection designed and built, and policies written to ensure protection of all client and server computer systems and data networks.

Information Technology (IT) / Software Management
  Risk Identified: Software not kept up to date on security updates
  Description: Software could be end of life and no longer supported, meaning security patches will not be current.
  Probability of Occurrence: Very unlikely to occur: 0-10%
  Justification for probability: Software that is end of life is no longer updated to protect against current threats
  Impact Intensity: High
  Justification for impact: End-of-life software exposes systems to new threats that the software was not designed to protect against.
  Existing Measures: Review all current client and server software to ensure it meets all current security standards
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: After reviewing all current software, ensure that all of it can be upgraded, and if not, review more secure alternatives.
  Additional Measures: Review industry standards for all current software, and if a system does not meet policies in the future, be ready to choose an alternative that provides the same capabilities
  Contingency Plan: Isolate or replace software that does not meet security standards and policies.

Information Technology (IT) / Merge Software & Hardware
  Risk Identified: Identify all hardware and software that is incompatible with the new merged infrastructure.
  Description: Current hardware and software may not be best suited for a merged infrastructure.
  Probability of Occurrence: Very unlikely: 0-10%
  Justification for probability: Incompatible software and hardware can delay proper merging of systems or cause poor data integration
  Impact Intensity: Low
  Justification for impact: Most software applications and hardware architectures are modern enough to integrate with most other systems
  Existing Measures: Set aside budget for hardware and software upgrades as needed.
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: Funding is available.
  Additional Measures: Create a master list of all hardware and software, identify end-of-support products, and begin to research upgrades or alternatives.
  Contingency Plan: Isolate or replace hardware and software that does not meet standards and policies.

Marketing
  Business processes: Research & Strategy Development
  Risk Identified: Catastrophic event or other natural disaster
  Description: Lost opposition research will require a new planning cycle to re-certify the advertising investment strategy
  Probability of Occurrence: Very Likely: 91-100%
  Justification for probability: Data systems hosting opposition research are unlikely to be recovered following a catastrophic event
  Impact Intensity: Low
  Justification for impact: A rapidly changing business environment minimizes the value of historical opposition research
  Existing Measures: N/A
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: N/A
  Additional Measures: Non-sensitive data should be accessible across all facilities using collaboration tools like SharePoint
  Contingency Plan: Publish changes to the emergency action plan

Marketing / Customer Retention Database
  Risk Identified: The database server was damaged because the HVAC in the server room was damaged, causing the servers to run hot and preventing new customer information from being saved during that timeframe.
  Description: HVAC systems are crucial to the operation of servers since they regulate their temperatures.
  Probability of Occurrence: Unlikely: 11-40%
  Justification for probability: Although it is likely for an HVAC system to fail, it is very unlikely for this failure not to be caught early, ensuring that servers do not reach peak critical temperatures.
  Impact Intensity: High
  Justification for impact: Issues with the HVAC system in the server room can affect more than the retention database. They could affect any system in that room and its specific function.
  Existing Measures: Operational data is retained. All data with the exception of Accounting replicates across each location, meaning that redundancy and backups are available.
  Mitigation Strategy: Risk Limitation
  Additional Measures: Monitoring tools can be set in place to monitor the temperature of the server room and every system in that room.
  Contingency Plan: In the event of a server room disruption, all transactions and operations will be transferred to an alternate location until operations can safely resume.

Marketing
  Business processes: Web Advertising & Mail Marketing Data, Online Advertising
  Risk Identified: A fire event causing damage to the data center and storage facilities could cause loss of valuable marketing data and advertising material, which would be difficult to recreate, and a web server outage could affect sales.
  Description: A fire event could affect promotional events for extended periods if web servers are destroyed or data corruption occurs
  Probability of Occurrence: Very Likely: 91-100%
  Justification for probability: This risk has already been realized when there was a fire at the HighPoint Hosting facility destroying 75 web servers
  Impact Intensity: High
  Justification for impact: A fire occurred at the web hosting facility affecting customer ticket sales, causing a failure to deliver a marketed product; if a fire were to occur at another facility, the reputation and overall health of the company could be affected.
  Existing Measures: A BCP will need to be created. Data backup under the Disaster Recovery plan has already covered protection of the marketing data.
  Mitigation Strategy: Risk Limitation
  Additional Measures: In the event of a disaster such as the fire event, additional data center failover scenarios should be identified
  Contingency Plan: Creation of a Business Continuity Plan

Marketing
  Business processes: Marketing Client Relations Information & Trending
  Risk Identified: A disgruntled employee can extract sensitive customer information and expose it
  Description: An insider can steal customers' private information and customer trending data and extort the company or sell it to competitors, gaining an unfair advantage
  Probability of Occurrence: Unlikely: 11-40%
  Justification for probability: This insider attack is rare, and the likelihood that the employee will be traced to the leak and identified is high
  Impact Intensity: Medium
  Justification for impact: Attacks like this are rare, and if stolen marketing information were to leak out, the employee responsible would be held accountable
  Existing Measures: The Business Continuity Plan currently does not cover such a leak
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: Taking steps to reduce the risk of marketing data leakage through disgruntled employees will reduce the danger of this happening.
  Additional Measures: Ensure that all marketing data is role-based and user-level permissioned. Any data that is touched is logged; also lock down computers for USB devices. A CRM system should also be implemented with role-based permissions.
  Contingency Plan: Create a Business Continuity Plan that includes data leakage.

Operations / Account Management
  Risk Identified: Catastrophic event or other natural disaster
  Description: Damaged reputation and lost revenue from clients
  Probability of Occurrence: Likely to occur: 61-90%
  Justification for probability: Prolonged disruptions to business operations will result in clients migrating to competitors
  Impact Intensity: High
  Justification for impact: After a catastrophic event, the number one priority is restoring trust and faith from employees, clients, and the general public
  Existing Measures: N/A
  Mitigation Strategy: Risk Limitation
  Justification for mitigation: N/A
  Additional Measures: Non-sensitive data should be accessible across all facilities using collaboration tools like SharePoint
  Contingency Plan: Publish changes to the emergency action plan

Operations
  Business processes: Standard Operating Procedures (SOPs)
  Risk Identified: Standard operating procedure guides were inaccessible during a disk failure impacting the company's file server.
  Description: SOPs are important documents that detail the steps taken to fulfill a specific task and/or milestone. Companies generally store this information on file servers, also known as shared drives.
  Probability of Occurrence: Unlikely: 11-40%
  Justification for probability: File servers generally consist of several drives/disks that replicate with each other, providing redundancy.
  Impact Intensity: Medium
  Justification for impact: Inability to access SOPs can impact operations if employees are unfamiliar with a specific task.
  Existing Measures: No existing measures are set in place for this scenario. File servers are considered obsolete in most organizations with the adoption of cloud computing such as Microsoft OneDrive.
  Mitigation Strategy: Risk Transference
  Additional Measures: Obtain a contract for Microsoft OneDrive to store shared documentation such as SOPs.
  Contingency Plan: All important documentation such as SOPs will be uploaded into Microsoft OneDrive for easy access and availability.

Operations / Incident reporting database
  Risk Identified: The incident reporting database was involved in the same flood that affected the product database, affecting how the company handles incidents and customer issues.
  Description: The datacenter experienced a flood affecting servers in that location. One of the specific servers that was damaged was the product database server. Without this server, entry of new information has been disabled.
  Probability of Occurrence: Unlikely: 11-40%
  Justification for probability: All locations have low risk of flooding. The chance of all locations being flooded at the same time is very minimal.
  Impact Intensity: Low
  Justification for impact: Email and alternate communications are available to handle customers' concerns. Internal issues can be reported via alternate means.
  Existing Measures: Operational data is retained across all locations. Accounting data is only retained at HQ.
  Mitigation Strategy: Risk Acceptance
  Justification for mitigation: All data with the exception of Accounting replicates across each location, meaning that redundancy and backups are available.

Operations / Supply Chain
  Risk Identified: Material supply interruptions / production delays
  Description: Will lead to missing deadlines
  Probability of Occurrence: Likely 61-90%
  Justification for probability: If the company experiences a fire, the supply chain will be interrupted
  Impact Intensity: High
  Justification for impact: Lower potential in closing deals
  Existing Measures: Advance orders
  Mitigation Strategy: Have a solid BCP in place
  Justification for mitigation: Having a BCP in place will ensure continuous supply
  Additional Measures: Ensure all payments are made in advance
  Contingency Plan: Establish clear procedures to be followed in case of fire